I was just wondering what the best exploit and payload would be for getting a command shell on a Windows XP SP2/SP3 machine. The XP machine would be assumed to be current with updates...
I find it quite a challenge, as every attempt I have tried returned with no session... :(

11-24-2009, 06:47 PM

Lincoln

If you're attacking the OS directly and it's fully patched (ex: MS08-067), you will have no luck. You will have to look at either attacking installed applications (FTP, SMTP, etc.) or look into a client-side attack.

11-24-2009, 07:17 PM

thorin

If the machine is patched, then the "best" exploit would likely be one that doesn't exist yet, which leverages a vulnerability which hasn't been identified yet.

11-24-2009, 08:20 PM

bfrick50

OK, say I rigged my VM of Windows XP so that it has been fully patched, but oops, I forgot to close ports 21 and 80. Could these be "metasploited"?

11-24-2009, 08:30 PM

purehate

Quote:

Originally Posted by bfrick50

OK, say I rigged my VM of Windows XP so that it has been fully patched, but oops, I forgot to close ports 21 and 80. Could these be "metasploited"?

Well, what is running on port 21? You need the name of the service and the version number. Same with port 80. Then you hit Google and try to find a vulnerability. So the short answer is no. This stuff takes tons of time, research, poring over boring code and caffeine.

11-24-2009, 08:39 PM

Lincoln

The easiest way to set up your VM lab with minimal work would be to match an exploit in Metasploit and install the vulnerable software on your target machine.

OK, say I rigged my VM of Windows XP so that it has been fully patched, but oops, I forgot to close ports 21 and 80. Could these be "metasploited"?

OK, I'm in a good mood, so I'll spoon-feed :eek:

IT/Security 101.....

An exploit takes advantage of a weakness (also known as a vulnerability); patches correct vulnerabilities.

If a vulnerability exists within the service running/listening on a particular port (21 or 80), then yes, it can be exploited. Assuming a) it's a brand new vulnerability that you've discovered (for which there is no patch [yet]), or b) it's an old vulnerability which has not had the corresponding and correcting patch applied.

11-24-2009, 09:49 PM

bfrick50

Great,
Thank you all for clearing up the fog in my brain relating to exploits!

11-25-2009, 01:04 PM

imported_WickedClown

The best way to exploit a fully patched Windows XP is to create a payload with Metasploit, and attach that payload using your friendly Microsoft IExpress to a nice little fun game you download off the web. Send and execute on your test VM. When you run the game and close it, the Metasploit payload will be executed.

OR!! You can use browser exploits: you can use Metasploit to act as a website, and just browse to your machine and hopefully, pop, you have a command shell.. If you've got wireless, check out Karmetasploit.